I have a set of users in a Cognito User Pool. These users, and ONLY these users, are allowed to login to my webapp.
Now I want to allow these users, and ONLY these users, to have the option to login either via Facebook or via their login credentials. In other words, I want to allow a person to login to my app using either Facebook or their Cognito login credentials and get access to the same Cognito User account, regardless of whether they logged in using FB or Cognito. Just to be clear, a FB user without a Cognito user account would not be allowed to login to my app. How do I do this? Is this possible? It seems to me that I have to find a way to map each of the Cognito user's Cognito User Pool account with their corresponding Facebook account.
From the Cognito documentation on AWS, it seems that when I add Facebook as a federated Identity Provider, this means a user can login via EITHER Cognito or Facebook, and all Facebook users who can login to Facebook can now login to my app. This is NOT what I want! Just because a person is authorized to use Facebook does not mean they are authorized to use my app!
So, how do I allow a user in my Cognito User Pool to connect his/her Facebook account so that the user has multiple ways of logging in to the same Cognito user account?
Unfortunately, Cognito's design would not permit such a feature to allow only a set of Facebook accounts to log in. When Facebook is enabled for a Cognito User Pool, all valid Facebook users would be able to log in.
Related
I have Cognito setup with login supported from multiple identity providers (Cognito User Pools, Facebook, and Google). In my User Pool configuration I have email used as username. The desired functionality is to have username be unique across all identity providers. i.e. if a user logs in with Facebook and their facebook email is "user#test.com" and then they login with Google and their google email is "user#test.com", either they should not be able to login or their federated identities should be merged.
This is user management for connected devices. I don't want a user to setup a few devices while logged into Facebook, then login with Google and not be able to see their devices from their Facebook account.
I know this gets complicated since you can create a Facebook account with just a phone number.
I know there is a pre-authentication trigger in Cognito User Pool's, but it doesn't seem to be triggering when I login with a federated identity. Is there a trigger than I can use that will fire no matter which identity provider I use (User Pool, Facebook, Google)?
Thanks,
I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.
But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.
Is this possible?
Thanks in advance!
Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.
Splitting your query into 2 parts:
1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.
2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to login using a username password, a new account will have to be created using SignUp API or AdminCreateUser API. Also, this account can not be linked to the previous Facebook account using AdminLinkProviderForUser because a pre-requisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.
So, in short, you would have to - create a new user using SignUp or AdminCreateUser API, delete the auto-created Facebook user & Finally link the Facebook account as mentioned in case 1.
I'm trying to develop a React application that will allow users to login with their Azure AD accounts and their Facebook accounts.
The first thing is that I didn't understand about the 2 tabs "User
Pools and Federation Identities". Do I need both to get it done or
just the User Pools is enough?
My goal is just the authentications. I don't want to allow users to access any AWS service. I just want the authentication token.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth. Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Do I need both to get it done or just the User Pools is enough?
No. Userpool is more than enough if you just need authentication and do not need to use AWS services.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth.
What user data do you need to save. If you want User's profile data to be saved in Cognito, you need to use Cognito Userpool & not Federated Identities. Add Facebook directly to Userpool. Upon using Facebook login, a user is auto-created in the userpool based on all user data available in the token. See this doc on how to add Facebook to a userpool directly.
Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Depends on your use-case. If you just want to add authentication to an app, the best way would be to Add Facebook to a Userpool directly, create an app client in the userpool for your application; enable Facebook for that app client & use Cognito Userpool's built-in UI to login using Facebook. This feature (built-in UI) is called App Integration. After successful Facebook login, a valid token will be sent to your app. Do note that the token sent to your app would be from Cognito.
Client--> Userpool built-in UI --> Redirect to Facebook --> Login using username +password --> Facebook sends its token to Cognito ( https://your-user-pool-domain/oauth2/idpresponse)-->Userpool vends its own token & redirects to the URL mentioned in the redirect_uri.
We are building a foursquare connected app, using Facebook for login. In this scenario, is there a way for our servers to see foursquare access token specific to our app, so that we can associate that token with the user account validated against facebook?
It is not possible to get a list of all access tokens for your app. When a user authorizes your app with Foursquare, you should store their OAuth access token so you can make requests on their behalf. You will follow a similar process to authenticate with Facebook. Your app will need to maintain the association between their Foursquare token and their Facebook token.
If you have lost the Foursquare access token, you can send the user to foursquare.com/oauth2/authenticate, as on this page (https://developer.foursquare.com/overview/auth), and your app will receive another OAuth token for the user, as you did when they originally authorized the app.
Can we customize facebook login/authentication page?
I want to use my own customized pop up for receiving 'Email' and 'Password' input from user so that it is consistent with the GUI of my application. Is there a facebook API to which I can pass the Email/Password details received from user?
Looking at https://developers.facebook.com/docs/reference/api/user/#permissions you cannot "create" new permissions. This has to go through Facebook so they know what permissions have been granted. This ensures that you're not just granting permissions on behalf of a user without them having actively granted them. This therefore stands to reason that you cannot style their page.
Alternatively, you could just make sure users register via an account on your site (You want a password so I assume you don't mean their facebook password) and then ask them to connect their facebook account to it. You would need to ask for their email in your form, get them to login, then connect via facebook and associate their facebook id with their account on your site.